michaeldynamo

Q: Why is Cisco AnyConnect VPN not working with Yosemite MBP tethered to iPhone 6?

We've encountered an issue here at the office and have found several online threads with the same problem (such as the Cisco forums):

The combination of a Mac running Yosemite (in my case MBP) tethered to an iPhone 6 (running OS8) won't allow the Cisco AnyConnect VPN client to work properly. Once logged in to my VPN account the MBP loses all internet and file server access. So far I've only tested on iPhones with Verizon service.

Yosemite MBP and Verizon hotspot device? Works!

Mavericks MBP and iPhone 6? Works!

But no instance of Yosemite MBP and Verizon iPhone 6 has successfully worked.

There was a suggestion to disable IPv6 on the MBP, which I did, but this didn't work either.

I've tested on the three most recent versions of AnyConnect, up to 3.1.06...

Anyone else encountering this? Anyone with a fix?

Thanks!

MacBook Pro with Retina display, iOS 8.1.2

Posted on Dec 16, 2014 2:37 PM

  • by OkiePilgrim, Helpful
    OkiePilgrim, Level 1 (5 points), Jan 7, 2015 10:51 AM, in response to michaeldynamo

    Yep, have this issue too and so do many others (like Cisco AnyConnect Secure Mobility Client on OS X Yosemite - VPN not working if the Mac is connected via Iphone HotSpot and Yosemite, iPhone Hotspot and Cisco AnyConnect as well as many over at the Cisco forums). Given that the problem is specific to Yosemite, I'm looking to Apple to address the problem, but assume we'll have to wait on them for that.

    My "workaround" is to connect and then remote to a system in our Data Center by IP, but it's a less-than-ideal solution. Would love to hear a workable DNS fix if anyone finds it.

  • by Rufessor
    Rufessor, Level 1 (0 points), Jan 7, 2015 8:27 PM, in response to OkiePilgrim

    I can confirm this is indeed broken...

    Sitting here right now with a brand spankin' new MacBook Pro Retina with basically no mods... it's all Apple... and a new iPhone 6 and Cisco AnyConnect.

    I actually can also say that regardless of which device runs Cisco AnyConnect (I have it on phone and computer) the personal hotspot connection does not work as VPN. I have one other piece of information... the last bit.

    If I connect THIS WAY -

    AnyConnect on MacBook connected to personal hotspot on phone but NO VPN on phone.

    Internet connectivity is there right up to the moment my VPN connects... then it's GONE... Safari displays the NO internet connection message... it's like you flipped the off switch... however, as SOON as I terminate the Cisco AnyConnect connection - you do NOT need to shut down the app, just close the connection... so Cisco AnyConnect thinks it's CONNECTED - the application is not stuck, its green light is connected and I can disconnect "normally" - the internet connection on the MacBook Pro comes right back.

    IF instead I connect THIS WAY -

    NOW... shut down AnyConnect on the MacBook Pro... turn on AnyConnect on the phone, connect...

    I now have internet connectivity on the MacBook Pro... using the VPN-configured phone as a personal hotspot... but it's not working as a tunnel into the subnet like it's supposed to... I cannot connect via terminal to any number of servers that I normally can connect to with Cisco AnyConnect on the MacBook Pro and a more typical 4G wireless router config for internet...

    Now the LAST BIT

    When connected the second way, from the computer terminal I can ping Google... but cannot ping servers inside the subnet the phone is connected to. I note that my Cisco AnyConnect VPN is typically configured to be 1-sided, that is to say that the VPN tunnel is used only for local traffic... so even when I am VPN connected and all things are working, if I switch from an internal (VPN-walled) server to Google my traffic bypasses VPN to avoid unnecessary traffic on a heavily utilized VPN connection.

    I am uncertain what to conclude, but this much is true - VPN from the MacBook via Cisco AnyConnect using the new OS (up to date TODAY) is DEAD and KILLS all external connections.

    VPN on the phone seems to be working. I am unsure how the VPN client is interpreting traffic through the personal hotspot, but it's certainly not letting the personal hotspot traffic use the VPN tunnel... but this may be normal. It is probably not trivial to know if this is normal, or a further indication of a problem with the MacBook Pro OS.

  • by quadrinary
    quadrinary, Level 1 (0 points), Jan 12, 2015 12:34 PM, in response to michaeldynamo

    All - I have a solution for this problem.

    In your AnyConnect Group Policy, go to Advanced > Split Tunneling.

    For "DNS Names" uncheck "inherit" and manually define your LAN's internal DNS domain name.

    For "Send All DNS Lookups Through Tunnel" uncheck "inherit" and manually select "no".

    For reasons I've not yet figured out, Yosemite does not like tunneling all DNS lookups through the tunnel.

    If this is a sticking point for your environment, you may need to define a separate Group Policy for your OS X users until Cisco/Apple figure out their bug.

    Good luck!

    -Tim

  • by Rosebud-YT
    Rosebud-YT, Level 1 (4 points), Jan 27, 2015 12:40 PM, in response to michaeldynamo

    Here's the fix: You need to disable IPv6 on the Mac.

    Open a terminal and type this on one line:

    networksetup -setv6off Wi-Fi

    That will disable IPv6. Now it works.

    This is a Verizon problem only. AT&T doesn't give IPv6 addresses to the tethered computer. But Verizon does.

    Eric

  • by Rufessor
    Rufessor, Level 1 (0 points), Jan 29, 2015 4:12 PM, in response to Rosebud-YT

    Can't be right - "Verizon" as the problem... I am AT&T and have this issue.

    As well - disabling this did not fix the VPN issue. Network is good right until you log into the VPN server - then you're dead.

  • by ipodlolo
    ipodlolo, Level 1 (0 points), Feb 5, 2015 2:38 PM, in response to quadrinary

    This only allows use of an external DNS. It does not permit your enterprise DNS to be accessible and hence does not allow you to access enterprise resources by name.

  • by sjsherratt
    sjsherratt, Level 1 (13 points), iPhone, Mar 11, 2015 9:15 AM, in response to michaeldynamo

    Identical problem here w/ AT&T. Does anyone have a viable workaround?

  • by George Crawford
    George Crawford, Level 1 (0 points), Mar 12, 2015 6:41 AM, in response to michaeldynamo

    I think tethering + AnyConnect is working for me again with the recent iOS 8.2 update!

  • by sjsherratt
    sjsherratt, Level 1 (13 points), iPhone, Mar 12, 2015 12:02 PM, in response to George Crawford

    I tried with the 8.2 iOS update, but still cannot connect...

  • by cjaffree
    cjaffree, Level 1 (0 points), Mar 13, 2015 5:16 PM, in response to quadrinary

    I can confirm that this workaround worked for me on an ASA5505 running 9.2(2), but not on an ASA5510 running 8.4(5). The only difference in the group-policy configurations between the two is I have "client-bypass-protocol enable" set on the 5505 running 9.2(2), but this does not seem to be available on the 5510 running 8.4(5).

    I plan to upgrade the 5510 to 9.1.6 sometime next week and see if this command is supported (or even needed) for this workaround to work.

    In detail, what I'm seeing on my Yosemite client when it's NOT working is:

    - /etc/resolv.conf is not found

    - scutil --dns shows the iPhone IP as nameserver[0] with no other nameservers listed

    - netstat -nr shows the default route with the "I" flag added. This flag is not present when AnyConnect is not connected, nor when connected to my workaround-enabled 5505 running 9.2(2).

    The above behavior is the same whether I am tethered via USB or via Wi-Fi. I've not attempted Bluetooth tethering yet, but I'm suspecting the result may be the same.

    Existing connections continue to work, but opening any new connections to anything not through the VPN fails with a "network is unreachable" or similar unreachable message. I haven't tried this with split-tunneling disabled since that would not be a viable solution in my case anyway. Re-adding the default route seems to get traffic flowing, but nothing I've tried has gotten the DNS resolver to work. It's possible to use the dig, host, or nslookup commands and reference a specific DNS server over the tunnel though, but that doesn't help too much for trying to use applications locally.

    Since starting to write this, I stumbled upon this Cisco technote: http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116016-technote-AnyConnect-00.html that references an older bug https://tools.cisco.com/bugsearch/bug/CSCtz86314 . My symptoms seem to be exactly as described in these docs and then some. Both do mention that version 9.0 or better is needed for the workaround to work though.

    Hopefully, my 5510 will fare better following the upgrade next week.

    My 5505's group-policy settings, for reference:

    group-policy vpn1_policy attributes
    dns-server value 172.24.0.128 172.24.0.129
    vpn-simultaneous-logins 2
    vpn-idle-timeout 10
    vpn-filter value vpn1-acl
    vpn-tunnel-protocol ssl-client
    password-storage disable
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpn1-acl
    default-domain value xnxnxn.com
    split-tunnel-all-dns disable
    client-bypass-protocol enable
    webvpn
      anyconnect keep-installer installed
      anyconnect ssl keepalive 290
      anyconnect dpd-interval client 10
      anyconnect dpd-interval gateway 30
      anyconnect ask none default anyconnect
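Added example, not code from any poster on this thread: a small POSIX shell script that checks the three client-side symptoms cjaffree lists above (missing /etc/resolv.conf, a lone hotspot nameserver in scutil --dns, the "I" flag on the default route in netstat -nr) and, for Rosebud-YT's IPv6 suggestion earlier in the thread, whether IPv6 is reported as off for Wi-Fi. The sample command output embedded in it is constructed (the 172.20.10.1 hotspot address, the 172.24.0.x resolvers and the flag strings are mine), the column layout of netstat -nr, scutil --dns and networksetup -getinfo Wi-Fi is assumed to match Yosemite's, and the function names are my own. Running the functions against the live commands before and after AnyConnect connects gives a quick before/after comparison of the state the post describes.

```shell
#!/bin/sh
# Added example: parse Yosemite network state for the symptoms described
# in the thread. All sample output below is constructed, not captured.

# Constructed `netstat -nr` IPv4 table while the problem is present: the
# default route carries the extra "I" flag cjaffree reports.
SAMPLE_NETSTAT_BROKEN='Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            172.20.10.1        UGScI          12        0     en0
127                127.0.0.1          UCS             0        0     lo0
172.20.10/28       link#4             UCS             1        0     en0'

# Constructed healthy table: no "I" flag on the default route.
SAMPLE_NETSTAT_OK='Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            172.20.10.1        UGSc           12        0     en0'

# Constructed `scutil --dns` output: only the phone hotspot address
# (assumed 172.20.10.1) is listed as a nameserver.
SAMPLE_SCUTIL_BROKEN='DNS configuration

resolver #1
  nameserver[0] : 172.20.10.1
  if_index : 4 (en0)
  flags    : Request A records
  reach    : Reachable'

# Constructed healthy output: the tunnel resolvers and a search domain.
SAMPLE_SCUTIL_OK='DNS configuration

resolver #1
  search domain[0] : corp.example
  nameserver[0] : 172.24.0.128
  nameserver[1] : 172.24.0.129
  if_index : 11 (utun0)'

# Constructed `networksetup -getinfo Wi-Fi` output, IPv6 on and off.
SAMPLE_GETINFO_V6ON='DHCP Configuration
IP address: 172.20.10.3
Subnet mask: 255.255.255.240
Router: 172.20.10.1
IPv6: Automatic
IPv6 IP address: none'

SAMPLE_GETINFO_V6OFF='DHCP Configuration
IP address: 172.20.10.3
Subnet mask: 255.255.255.240
Router: 172.20.10.1
IPv6: Off'

# Print the Flags column of the first "default" route read from stdin.
default_route_flags() {
    awk '$1 == "default" { print $3; exit }'
}

# Exit 0 when the default route on stdin carries the "I" flag.
default_route_has_i_flag() {
    flags=$(default_route_flags)
    case "$flags" in
        *I*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Count the nameserver[N] entries in scutil --dns output read from stdin.
dns_nameserver_count() {
    grep -c 'nameserver\[[0-9]*\]'
}

# Exit 0 when networksetup -getinfo output on stdin reports IPv6 as Off.
ipv6_is_off() {
    grep -q '^IPv6: Off$'
}

# Live use on the Mac (macOS only; not exercised by the sample data):
#   netstat -nr | default_route_has_i_flag && echo 'default route has "I" flag'
#   echo "nameservers: $(scutil --dns | dns_nameserver_count)"
#   networksetup -getinfo Wi-Fi | ipv6_is_off && echo "IPv6 is off for Wi-Fi"
#   [ -e /etc/resolv.conf ] || echo "/etc/resolv.conf is missing"
```

Each function reads one command's output from stdin, so the same checks work on a saved capture as on the live commands; a nameserver count of 1 together with the "I" flag on the default route is the combination cjaffree describes for the failing state.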

  • by timw95
    timw95, Level 1 (0 points), Apr 10, 2015 2:22 PM, in response to cjaffree

    Upgrading my ASA5512 to 9.2(3) and adding "client-bypass-protocol enable" to my SSLVPN group-policy attributes resolved the issue for me.

  • by dinmakers
    dinmakers, Level 1 (4 points), Apr 13, 2015 2:30 AM, in response to michaeldynamo

    Don't know if this helps anybody:

    Check the Wi-Fi DNS. I only had my router's IP in there. When I added:

    62.6.40.162

    194.74.65.69

    It fixed it.

  • by iacuser
    iacuser, Level 1 (0 points), Apr 30, 2015 2:39 PM, in response to dinmakers

    Option #1 -- IF tunneling IPv4 traffic only --> Configure a SplitInclude (tunnelspecified) policy *AND* enable "Client Bypass Protocol" on the ASA Group Policy. Confirm the Group Policy is for IPv4 only, with no IPv6 Tunnel List and no IPv6 Address Pool configured.

    Option #2 -- IF tunneling BOTH IPv4 and IPv6 --> Configure a SplitInclude (tunnelspecified) policy for BOTH IPv4 and IPv6 (includes both IPv4 and IPv6 Tunnel Lists and Address Pools). "Client Bypass Protocol" should remain the default, which is disabled.

    Option #3 -- (which may not be an option or the desired one) --> Configure a Tunnel-All Policy.

    NOTES:

    The "Client Bypass Protocol" option is only available on ASA v9.x+.

    No modifications to the AnyConnect clients required.

  • by tc1210id, Helpful
    tc1210id, Level 1 (5 points), Apr 30, 2015 4:39 PM, in response to iacuser

    I gave up on Cisco's AnyConnect client and installed OpenConnect from MacPorts.

    sudo port install openconnect

    Open a terminal:

    sudo /opt/local/sbin/openconnect -u <username> --authgroup <group> https://<company VPN URL>

    This fixed my issue.
